Ensuring all VLANs/subnets are covered in VA & industry practices

Q1
As governance/compliance person, I'm often not being updated by network teams when
new VLANs / subnets are being created.  Network diagram may not be updated timely too.
What are the surest ways to check?  Get a readonly account on the core-switch & issue
a command to see all the VLANs there?  Or where is the best place/device to see all
VLANs/subnets in a corporate?

Q2
For Cisco switches/routers, is there a way to automatically configure something to obtain
output of a certain command (say 'show vlan all') & get it emailed out?  Can Tripwire or
TACACS+ do this?

Q3
For internal VA scans, what are the subnets/VLANs that are scanned?  Do they scan only
servers VLANs/zones only ie DMZ, Apps/internal, DB & management zones only (is
Management crucial)  or  users/PCs VLANs plus DR and UAT VLANs (where DR/UAT
servers sit) as well?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sunhuxAuthor Commented:
We have both Cisco & Nexus switches/routers, so do provide the commands
0
sunhuxAuthor Commented:
This whole thing arises from auditor: how do we ensure and show evidence
that all network segments are scanned (& he meant the relevant segments)
0
SIM50Commented:
As governance/compliance person, I'm often not being updated by network teams when new VLANs / subnets are being created.  Network diagram may not be updated timely too. What are the surest ways to check?  Get a readonly account on the core-switch & issue
a command to see all the VLANs there?  Or where is the best place/device to see all
VLANs/subnets in a corporate?

I think it would be better to look at the routing table to see if new routes were installed. Take a snapshot and then run a compare from time to time. The core switch would be the best place to look it up. I wouldn't look at the VLANs because not all of them might exist on that switch.
Edit: Forgot to mention this. It also depends on your internal routing protocol. For EIGRP, this would work no problem. For OSPF, I would get a routing table from each ASBR as the routes are usually summarized when they cross area boundaries.

For Cisco switches/routers, is there a way to automatically configure something to obtain output of a certain command (say 'show vlan all') & get it emailed out?  Can Tripwire or TACACS+ do this?

Look up Cisco Embedded Event Manager (EEM). There are applets for what you want. Might require a bit of scripting.

For internal VA scans, what are the subnets/VLANs that are scanned?  Do they scan only servers VLANs/zones only ie DMZ, Apps/internal, DB & management zones only (is
Management crucial)  or  users/PCs VLANs plus DR and UAT VLANs (where DR/UAT
servers sit) as well?

Not sure what you are asking here. Can you please elaborate? What is VA, UAT?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
VA = Vulnerability Assessment
Some VA tools are like Nessus, McAfee Vulnerability Manager

UAT = a User Acceptance Test (ie a test server)
0
SIM50Commented:
I do network security designs and implementations so systems and policies are not really my forte. From my experience though, vulnerability scanning depends on the corporate policy and the compliance standard a company falls under. Like for PCI, you should scan all devices that fall in the scope. Scanning the rest depends on the policy but usually you scan all internet facing and important servers (AD, DBs, etc) and devices.

Management VLAN should be locked down to access only from certain PCs and ideally those PC's should be scanned.

User PC's usually fall under one departmental or company management policy from AD GPOs and WSUS. You can take a sample of PCs and scan them. The results should be similar.

For DR, it depends what kind of DR. Does it have live data for hot failover? If yes then it falls under the same scanning policy as production. If it's warm DR than you need to scan storage devices with the backup data.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.